Steam Leak: 89 Million Accounts Allegedly Exposed on the Dark Web

Steam is facing a potential security threat as a listing offering data from 89 million accounts appeared on the dark web. If confirmed, this could be one of the largest data breaches in Valve’s gaming platform history.

The situation was brought to light by an X user named MellowOnline1, who referred to a LinkedIn post by Underdark AI. According to their investigation, a user going by the alias Machine1337 posted on a hacker forum, offering to sell the Steam database for $5,000.

Yesterday, an alleged major @Steam data breach occurred, compromising over 89 million user records (roughly two-thirds of all Steam accounts).

These datasets are being sold for over $5,000 on what appears to be a site akin to Mipped.

Mipped alongside their sister sites is a…

— Mellow_Online1 (@MellowOnline1) May 11, 2025

Analysts suggest the breach may involve accounts without two-factor authentication (2FA), making them vulnerable to hacking. Furthermore, the leaked personal data could be used in phishing attacks against users with better-protected profiles.

Initially, suspicions were directed at Valve itself, but the company officially denied any involvement. The focus then shifted to Twilio, suspected of leaking data through its 2FA system — a theory that was also debunked. Valve representatives clarified that the company has never used Twilio to protect Steam accounts.

Later, Valve issued a separate statement, confirming that Steam’s systems were not breached. According to the developers, the leak includes Portuguese phone numbers and outdated one-time codes, suggesting that the data might have originated from an external source.

Despite the lack of direct evidence of a hack, experts haven’t ruled out the possibility. The true source of the leak remains unknown.

What Should Users Do?

If you are not using two-factor authentication on Steam, change your password immediately. According to preliminary findings, accounts with Steam Guard and 2FA enabled are likely safe, as no critical information appears to have been compromised.

Valve reminds users to stay vigilant, avoid suspicious links, use unique passwords, and keep account protection features active.